b'    DEPARTMENT OF HOMELAND SECURITY\n\n            Office of Inspector General\n\n\n                Security Weaknesses Increase \n\n                Risks to Critical United States \n\n            Citizenship and Immigration Services \n\n                           Database \n\n                          (Redacted)\n\n\n\n\n\nNotice: The Department of Homeland Security, Office of Inspector General, has redacted this report\nfor public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. \xc2\xa7 552(b)(2). A\nreview under the Freedom of Information Act will be conducted upon request.\n\n\n\n\n                    Office of Information Technology\n\n   OIG-05-42                                                September 2005\n\x0c                                                                       Office of Inspector General\n\n                                                                       U.S. Department of Homeland Security\n                                                                       Washington, DC 20528\n\n\n\n\n                                      Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by\nthe Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General\nAct of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our\nDHS oversight responsibilities to promote economy, effectiveness, and efficiency within the\ndepartment.\n\nThis report assesses the strengths and weaknesses of database security controls over United States\nCitizenship and Immigration Services (USCIS) database resources. It is based on interviews with\nUSCIS officials, direct observations, technical tests, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our office, and\nhave been discussed in draft with those responsible for implementation. It is our hope that this\nreport will result in more effective, efficient, and economical operations. We express our\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. Skinner           \n\n                                      Inspector General        \n\n\x0cTable of Contents/Abbreviations \n\n\n\n  Executive Summary ...................................................................................................................... 1 \n\n\n  Background ................................................................................................................................... 3 \n\n\n  Results of Audit ............................................................................................................................ 5 \n\n\n       Strengthening of Database Security Procedures Is Needed.................................................... 5 \n\n       Recommendations................................................................................................................... 9 \n\n       Management Comments and OIG Analysis ........................................................................... 10 \n\n\nAppendices\n  Appendix A:            Purpose, Scope, and Methodology ...................................................................... 13 \n\n  Appendix B:            Management\xe2\x80\x99s Response..................................................................................... 15 \n\n  Appendix C:            FISMA Metrics.................................................................................................... 20 \n\n  Appendix D:            Major Contributors to this Report ....................................................................... 22 \n\n  Appendix E:            Report Distribution.............................................................................................. 23 \n\n\n\nAbbreviations\n  ATL                            Advanced Technology Laboratory \n\n  ATO                            Authority to Operate      \n\n  C&A                            Certification and Accreditation \n\n  CIO                            Chief Information Officer \n\n  DBMS                           Database Management System\n\n  DHS                            Department of Homeland Security \n\n  DHS Handbook                   DHS Sensitive Systems Handbook \n\n  DHS Policy                     DHS Sensitive Systems Policy Publication 4300A \n\n  DOJ                            Department of Justice \n\n  FISMA                          Federal Information Security Management Act of 2002 \n\n  ICE                            United States Immigration and Customs Enforcement \n\n  ISSO                           Information Systems Security Officer \n\n  IT                             Information Technology       \n\n  NIST                           National Institute of Standards and Technology\n\n  OIG                            Office of Inspector General \n\n  OMB                            Office of Management and Budget \n\n  POA&M                          Plan of Action and Milestones \n\n\n\n                          Security Weaknesses Increase Risks to Critical USCIS Database\n\x0cTable of Contents/Abbreviations \n\n\n  USCIS         United States Citizenship and Immigration Services\n  SP            Special Publication\n\n\n\n\n           Security Weaknesses Increase Risks to Critical USCIS Database\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\n\n\nExecutive Summary\n\n                          We audited the Department of Homeland Security (DHS) and its organizational\n                          components\xe2\x80\x99 security program to evaluate the security and integrity of select\n                          sensitive but unclassified mission critical databases.1 This audit included\n                          reviews of access controls, change management, and continuity of operations\n                          policies and procedures. This report assesses the strengths and weaknesses of\n                          security controls over United States Citizenship and Immigration Services\n                          (USCIS) database resources.\n\n                          Our objective was to determine whether USCIS had implemented adequate and\n                          effective controls over sensitive data contained in its Central Index System.\n                          Information contained in the Central Index System is used to assist in the\n                          enforcement of United States immigration laws. We interviewed USCIS\n                          officials, reviewed database security documents, and performed technical tests\n                          of the Central Index System mainframe computer.\n\n                          Although USCIS has not established adequate or effective database security\n                          controls for the Central Index System, it has implemented many essential\n                          security controls such as procedures for controlling temporary or emergency\n                          system access, a configuration management plan, and procedures for\n                          implementing routine and emergency changes. Further, we did not identify any\n                          significant configuration weaknesses during our technical tests of the Central\n                          Index System. However, additional work remains to implement the access\n                          controls, configuration management procedures, and continuity of operations\n                          safeguards necessary to protect sensitive Central Index System data effectively.\n                          Specifically, USCIS has not: 1) implemented effective user administration\n\n\n1\n  DHS \xe2\x80\x9corganizational components\xe2\x80\x9d are defined as directorates, including organizational elements and bureaus, and critical\nagencies.\n\n\n                          Security Weaknesses Increase Risks to Critical USCIS Database\n                                                              Page 1\n\x0c                           procedures; 2) reviewed and retained -                                 - effectively;2\n                           3) ensured that system changes are properly controlled; 4) developed and tested\n                           an adequate Information Technology (IT) contingency plan; 5) implemented\n                           ------------------------------------------------------------------------ ; or, 6) monitored\n                           system security functions sufficiently. These database security exposures\n                           increase the risk that unauthorized individuals could gain access to critical\n                           USCIS database resources and compromise the confidentiality, integrity, and\n                           availability of sensitive Central Index System data. ------ - - ----------- - ---------\n                           ------------------------- -------------------------- ---\n\n                           Following the completion of our review, USCIS officials stated that they have\n                           already taken or plan to take corrective action to address some of the\n                           weaknesses we identified. As our fieldwork was complete, we did not verify\n                           that the weaknesses had been remedied.\n\n                           We recommend that USCIS Director instruct the Chief Information Officer\n                           (CIO) to:\n                               \xe2\x80\xa2 \t Ensure that adequate controls for granting, monitoring, and removing\n                                   user access to the Central Index System are implemented.\n                               \xe2\x80\xa2 \t Review and retain -                              - on the Central Index System.\n                               \xe2\x80\xa2 \t Ensure that system changes to the Central Index System are adequately\n                                   controlled.\n                               \xe2\x80\xa2 \t Develop and test a Central Index System IT contingency plan.\n                               \xe2\x80\xa2 \t Examine methods to implement -\n                                   ----------------------------------------- .\n                               \xe2\x80\xa2 \t Monitor system security functions for the Central Index System.\n\n                           In addition, to comply with the Office of Management and Budget\xe2\x80\x99s (OMB)\n                           Federal Information Security Management Act of 2002 (FISMA) reporting\n                           requirements, we evaluated the effectiveness of the USCIS\xe2\x80\x99 information\n                           security program and practices as implemented for the Central Index System.3\n                           USCIS has not aligned fully its security program with DHS\xe2\x80\x99 overall policies,\n                           procedures, or practices. For example, security controls are not routinely tested\n                           and evaluated; a contingency plan has not been established and tested; and,\n2\n  Audit trails maintain a record of system activity both by system and application processes and by users of the systems and \n\napplications. The audit trail is the evidence that demonstrates how a specific transaction was initiated, processed, and \n\nsummarized. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, \n\nperformance problems, and flaws in applications. \n\n3\n  FISMA is included under Title III of the E-Government Act of 2002 (Public Law 107-347). \n\n\n\n                           Security Weaknesses Increase Risks to Critical USCIS Database\n                                                               Page 2\n\x0c                          system and database administrators have not obtained specialized security\n                          training. Appendix C summarizes the results of our FISMA evaluation.\n\n                          Fieldwork was conducted from January to May 2005 at USCIS and United\n                          States Immigration and Customs Enforcement (ICE) facilities in Washington,\n                          DC; the Department of Justice (DOJ) Justice Data Centers in ------------------\n                          and ------------- ; and, the Office of Inspector General\xe2\x80\x99s (OIG) Advanced\n                          Technology Laboratory (ATL).4 See Appendix A for our purpose, scope, and\n                          methodology.\n\n                          In response to our draft report, the USCIS Acting Deputy Director concurred\n                          with our recommendations and is in the process of implementing corrective\n                          measures. In addition, USCIS is in the process of building an IT Security\n                          Office and implementing security, privacy, systems development, and\n                          continuity of operations best practices. USCIS\xe2\x80\x99 response is summarized and\n                          evaluated in the body of this report and included, in its entirety, as Appendix B.\n\nBackground\n                          A database is one or more large structured sets of data (fields, records, and files)\n                          organized so that the data can be easily accessed, managed, and updated. Most\n                          often, databases are associated with software used to update and query the data,\n                          called a database management system (DBMS). The DBMS can be an\n                          extremely complex set of software programs that controls the organization,\n                          storage, and retrieval of data in a database. In addition, the DBMS, in\n                          conjunction with its host operating system, controls access to the data and\n                          ensures the security and integrity of the database. DBMS\xe2\x80\x99 can be classified\n                          according to their architectural model (e.g., relational, hierarchical, or network),\n                          and can be centralized on one platform or distributed across multiple servers.\n\n                          Databases and DBMS\xe2\x80\x99 have become a more frequent target of attack for\n                          malicious users. Such an attack can result in financial loss, loss of privacy, or a\n                          breach of national security as well as the many other varieties of corruption that\n                          result from unauthorized access to sensitive data. To counter this threat, a\n                          number of security options are available to protect the data housed in databases.\n                          For these measures to be effective, however, DBMS security controls must be\n                          properly configured and maintained. In addition, as database products have\n                          become more complex and the attacks against them have increased, a number of\n\n4\n The ATL supports our capability to perform effective and efficient technical assessments of DHS information systems\nand diverse operating environments. The ATL is a collection of hardware and software that allows the simulation, testing,\nand evaluation of the computing environments that are most commonly used within DHS.\n\n\n                          Security Weaknesses Increase Risks to Critical USCIS Database\n                                                              Page 3\n\x0cvulnerabilities have been identified that could be exploited by attackers. DBMS\nvendors have responded by issuing patches or fixes for discovered\nvulnerabilities. These patches must be applied\xe2\x80\x94quickly and appropriately\xe2\x80\x94to\nensure that critical data is protected adequately.\n\nThe Central Index System was established in 1985 to assist in the enforcement\nof the immigration laws of the United States. The system contains information\non the status of approximately 55 million individuals, including permanent\nresidents, naturalized citizens, border crossers, apprehended aliens, aliens issued\nemployment authorization, and others of interest to the federal government.\nThis system helps ensure proper entry decisions by providing DHS field offices,\nports of entry, and examination and inspection sites prompt access to\nbiographical and status information on those seeking legal entry to or residence\nin the United States. Also, the Central Index System assists the department in\nthe identification of individuals who violate the terms of their stay, who enter\nthe United States illegally, or who are otherwise not entitled to entry or benefits.\n\nThe Central Index System resides on a mainframe computer at the DOJ Justice\nData Center in ------------- . The system employs a ------------------------- using\n-------------------------------------------- DBMS, -- ---- --- operating system, and\n-                  security software. Currently, there are over 33,000 Central\nIndex System users, including officials from DHS, the Central Intelligence\nAgency, Drug Enforcement Administration, Federal Bureau of Investigation,\nDepartment of State, and congressional committees. Central Index System\nusers access the system through a wide area network connection from locations\nthroughout the country as well as some overseas sites.\n\nDHS Sensitive Systems Policy Publication 4300A (DHS Policy) provides\ndirection to DHS components regarding the management and protection of\nsensitive systems. Also, this policy outlines the management, operational, and\ntechnical controls necessary to ensure confidentiality, integrity, availability, and\nauthenticity within the DHS IT infrastructure and operations. DHS Policy\nrequires that its components ensure that strong access controls, IT contingency\nplanning safeguards, and change and configuration management procedures are\nimplemented for all systems processing sensitive but unclassified information.\nThe department developed the DHS Sensitive Systems Handbook\n(DHS Handbook) to provide components with specific techniques and\nprocedures for implementing the requirements of this policy.\n\nThe National Institute of Standards and Technology (NIST) has issued several\npublications related to database system access controls, change and\nconfiguration management, and IT contingency planning. Specifically, NIST\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                    Page 4\n\x0c               Special Publication (SP) 800-12, An Introduction to Computer Security: The\n               NIST Handbook, provides guidance for establishing adequate access controls for\n               sensitive government systems, including the use of strong passwords,\n               encryption, and user administration practices. Also, NIST SP 800-12 provides\n               guidance on effectively controlling changes to sensitive information systems.\n               Further, NIST SP 800-34, Contingency Planning Guide for Information\n               Technology Systems, provides instructions, recommendations, and\n               considerations for government IT contingency planning.\n\n\nResults of Audit\n\n  Strengthening of Database Security Procedures Is Needed\n               USCIS has not developed or implemented the security controls necessary to\n               protect the Central Index System and its data. In assessing the procedures\n               governing the security of sensitive data contained in the Central Index System,\n               we identified user administration, auditing, change management, IT contingency\n               planning, -                  system security monitoring weaknesses. Therefore,\n               there is significant risk that the security procedures protecting the Central Index\n               System may not prevent unauthorized access to its systems and data. In\n               addition, USCIS may not be able to recover Central Index System operations\n               following a disaster or disruption.\n\n               User Administration Procedures Are Incomplete\n\n               USCIS has implemented a process to grant, monitor, and remove Central Index\n               System user access, which includes controls to protect access to the system and\n               its data. For example, USCIS has established a process to control emergency\n               and temporary user access, as well as a process to disable accounts after --- days\n               of inactivity. However, additional procedures must be implemented to ensure\n               that access to the Central Index System is restricted appropriately. From a\n               random sample of 20 active Central Index System user accounts, we identified\n               three users who had access rights that had not been authorized, including one\n               user with administrator rights to the system. Central Index System officials\n               stated that the access permissions for two of the accounts were not updated\n               because of a system administrator error. In addition, the supervisor for the user\n               with privileged access stated that she had verbally requested that this access be\n               revoked. However, since a formal access change form had not been submitted,\n               the user\xe2\x80\x99s administrator rights were not rescinded.\n\n\n\n\n               Security Weaknesses Increase Risks to Critical USCIS Database\n                                                   Page 5\n\x0c                           DHS Policy requires that access is controlled and limited based on positive user\n                           identification and authentication mechanisms, which support the minimum\n                           requirements of access control, least privilege, and system integrity.5 Since\n                           Central Index System user administration procedures have not been fully\n                           implemented, there is increased risk that inappropriate individuals may access\n                           sensitive Central Index System data. As a result, sensitive system information\n                           may not be protected adequately.\n\n                           Central Index System Auditing Is Inadequate\n\n                           USCIS does not have procedures to periodically review -                                   -\n                           --- - --- ------ for the Central Index System. USCIS records pertinent information\n                           related to certain -------------------- ----- -----------------------------------------\n                           -------------------------------------------- - -- ------------------------ ----------------\n                           ---------- . While -------------------- ------- -------------------------------------- - --- ,\n                           --------------------------------------------- -------------------------------------------\n                           ------------------------------------------------- ---------------------------------------------\n                           -                                                     . In addition, although -\n                                          are retained, -                                  are kept for only two years\n                           because the Central Index System mainframe administrators were not aware of\n                           DHS audit trail retention requirements.\n\n                           Audit trails help ensure individual accountability by tracking a user\xe2\x80\x99s activities\n                           while accessing an automated system. However, to be effective, significant\n                           security events must be recorded and the audit trails must be reviewed and\n                           retained. According to the DHS Handbook, the review of audit trail information\n                           is essential because unauthorized access, modification, or destruction of data\n                           may be discovered only through the review process. Also, the DHS Handbook\n                           requires that Information Systems Security Officers (ISSO) review audit trail\n                           information weekly or in accordance with the system security plan, and that\n                           audit trail information be retained for seven years. Due to the lack of adequate\n                           audit review and retention procedures, inappropriate access to sensitive data or\n                           malicious changes to the Central Index System may not be detected or\n                           investigated.\n\n                           A Central Index System Upgrade Was Not Adequately Controlled\n\n                           USCIS has established a configuration management plan and change\n                           management procedures for controlling routine and emergency changes to the\n\n5\n The principle of least privilege requires that users be given the most restrictive set of privileges needed to perform\nauthorized tasks.\n\n\n                           Security Weaknesses Increase Risks to Critical USCIS Database\n                                                               Page 6\n\x0cCentral Index System. Further, USCIS has implemented a process to conduct\nannual reviews of a sample of changes to Central Index System applications.\nHowever, USCIS has not ensured that all changes to the Central Index System\ngo through the established change management process. Specifically, we\nidentified an upgrade to the Central Index System DBMS, conducted in April\n2005, which, due to an administrative error, did not go through the established\nreview and approval process for system changes. USCIS officials stated that\nthey are working to ensure that similar omissions do not occur in the future.\n\nDHS Policy requires that organizational components establish, implement, and\nenforce change management and configuration management controls on all IT\nsystems and networks. Further, the DHS Handbook requires that the initial\nconfiguration of a system be documented in detail, and that all subsequent\nchanges to any components of the system be controlled through a complete and\nrobust change management process. Because the Central Index System upgrade\ndid not go through the established change management process, there was\ngreater risk that the confidentiality, availability, or integrity of the system and\nits data would be compromised.\n\nAn IT Contingency Plan Has Not Been Developed and Tested\n\nAlthough USCIS has developed and tested an IT contingency plan for the\nCentral Index System mainframe operating system and general support systems,\nthe IT contingency plan for the system\xe2\x80\x99s applications does not contain all of the\ninformation necessary to ensure that the system can be recovered. For example,\nthe plan does not include -\n-\n--------------------------------------- Further, the IT contingency plan for the\nsystem\xe2\x80\x99s applications has not been tested. USCIS officials stated that they are\nnot aware of any plans to update the IT contingency plan for Central Index\nSystem applications.\n\nIn addition, we identified the following issues related to Central Index System\ndata backup and restoration procedures:\n    \xe2\x80\xa2 \t The backup tapes used for offsite storage of sensitive Central Index\n        System data -\n        Although adequate physical security measures are maintained at the\n        contracted offsite storage facility, -\n        ------------------------------ -------------- --------------------- ----------\n        ----------------------------------------------------------------------- -----\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                    Page 7\n\x0c     \xe2\x80\xa2 \t Although the restoration of operating system files is periodically tested,\n         USCIS has not conducted a formal test of backup and restoration\n         procedures for Central Index System applications and data.\n\nDHS Policy requires that comprehensive IT contingency plans be developed,\ntested, exercised, and maintained for critical major applications and general\nsupport systems. Also, DHS requires that quarterly tests of data backup and\nrestoration procedures be performed.\n\nThe non-availability of sensitive information processed and stored by the\nCentral Index System could significantly impact USCIS and DHS missions.\nContingency planning is essential because it establishes the plans, procedures,\nand technical measures necessary to recover a system quickly and effectively\nfollowing a service outage or disaster. IT contingency plan testing enables\ndeficiencies to be identified and addressed, and helps evaluate the ability of the\nrecovery staff to implement the plan quickly and effectively. Formal tests of\nestablished data restoration procedures are an integral part of testing the overall\ncontingency plan, and help ensure that all necessary data can be recovered in the\nevent of a disaster. As a result of the lack of adequate contingency planning and\ntesting for the system, including tests of the Central Index System data\nrestoration process, USCIS lacks assurance that it will be able to resume\noperations following a disaster.\n\n\t-                      Has Not Been Implemented\n\nUSCIS has not implemented -------------------- to protect sensitive Central Index\nSystem data. Specifically, USCIS is not -\n------------------------------------------ --------------------- . The component\nconducted a pilot test of -------------- --------------- , but did not purchase the\nsoftware because of its cost.\n\nAccording to the DHS Handbook, --------------- -- reliable and achievable way to\nensure confidentiality for sensitive data. DHS Policy requires that the\ndepartment\xe2\x80\x99s components identify IT systems transmitting sensitive information\nthat may require protection, and develop ------------------- for their sensitive IT\nsystems. In addition, NIST recommends that ----------------------- be\nimplemented to protect the integrity and confidentiality of critical data and\nsoftware programs. As a result of these -                          , an individual\ncould -\n------------------- .\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                    Page 8\n\x0c                         USCIS Is Not Monitoring System Security Functions Adequately\n\n                         USCIS is not monitoring sufficiently the security activities performed by ICE\n                         and DOJ personnel for the Central Index System.6 Specifically, USCIS does\n                         not have a process to verify that ICE and DOJ information technology staff are\n                         performing necessary security or user administration functions for the Central\n                         Index System and personnel. For example, USCIS personnel do not\n                         -                                         - or perform periodic vulnerability\n                         assessments or configuration reviews. Further, USCIS does not ensure that\n                         these functions are being performed by ICE and DOJ personnel.\n\n                         According to officials, USCIS cannot provide security oversight for the Central\n                         Index System because of resource constraints; the Central Index System ISSO\n                         position is a collateral duty; and, the transition of certain IT functions from ICE\n                         to USCIS is still in progress. However, the Information Systems Security\n                         Manager stated that USCIS is currently working to address this issue.\n\n                         FISMA requires that senior agency officials provide security for the information\n                         and information systems that support the operations and assets under their\n                         control. Without an established process to monitor the quality of user\n                         administration and security management functions performed by ICE and DOJ\n                         officials, USCIS lacks assurance that sufficient security is provided for the\n                         Central Index System and its data.\n\n                         Recommendations\n\n                         To protect sensitive Central Index System data, we recommend that the USCIS\n                         Director instruct the CIO to:\n                              1. \t Strengthen procedures to ensure that adequate controls for granting,\n                                   monitoring, and removing user access to the Central Index System are\n                                   implemented according to DHS requirements and NIST guidelines.\n                              2. \t Review and retain -                       to facilitate the detection and\n                                   investigation of inappropriate access or malicious changes to the Central\n                                   Index System.\n\n\n\n6\n USCIS and ICE were part of the former Immigration and Naturalization Service of the DOJ. The Central Index System\ncurrently resides on a mainframe computer housed at a DOJ facility. The operating system of the Central Index System\nmainframe computer is controlled and administered by DOJ personnel. In addition, ICE personnel and contractors provide\ndevelopment and operations support for the Central Index System.\n\n\n                         Security Weaknesses Increase Risks to Critical USCIS Database\n                                                             Page 9\n\x0c                                 3. \t Strengthen change management procedures to ensure that routine and\n                                      emergency modifications to the Central Index System are adequately\n                                      controlled; and, consider strengthening the annual change management\n                                      review process.\n                                 4. \t Develop an adequate IT contingency plan for Central Index System\n                                      applications; and, ensure that annual tests of the plan and quarterly tests\n                                      of data restoration procedures are conducted.\n                                 5. \t Examine methods to implement -\n                                      ----------------------------- -------------------------- ---------------------\n                                      -\n                                 6. \t Monitor Central Index System security functions to ensure that adequate\n                                      security is provided for the system and its data.\n\n                             Management Comments and OIG Analysis\n\n                             USCIS concurs with recommendation 1. USCIS plans to assume control of user\n                             administration functions for USCIS\xe2\x80\x99 major applications, including the Central\n                             Index System, in fiscal year 2006.7 Once implemented, the new user\n                             administration procedures will include the documentation and maintenance of\n                             system access authorizations at USCIS, ISSO review of access requests, as well\n                             as annual recertification of user access privileges by the ISSO.\n\n                             We accept USCIS\xe2\x80\x99 response to enhance its controls for granting, monitoring,\n                             and removing user access to the Central Index System.\n\n                             USCIS concurs with recommendation 2. USCIS plans to address DHS audit file\n                             content, review, and retention requirements at the -------------------- -----------\n                             -------------------------------------------------- layers. In addition, USCIS plans to\n                             establish procedures for the Central Index System ISSO to conduct daily\n                             reviews of ------------------------ and security reports by April 30, 2006.\n\n                             We accept USCIS\xe2\x80\x99 response to implement DHS audit file content and retention\n                             requirements, as well as daily reviews of Central Index System -\n                             -          . However, USCIS should establish a timeline for the\n                             implementation DHS\xe2\x80\x99 audit retention requirements.\n\n                             USCIS concurs with recommendation 3. USCIS is in the process of updating its\n                             change control/change management process to better address security and\n                             emergency changes. USCIS plans to implement the updated process by\n\n7\n    ICE personnel currently perform user administration functions for the Central Index System.\n\n\n                             Security Weaknesses Increase Risks to Critical USCIS Database\n                                                                Page 10\n\x0cOctober 1, 2005. In addition, the USCIS Office of the CIO will reanalyze\nrecent changes to the Central Index System applications and verify that the\nchanges were properly reviewed, tested, and authorized via the change control\nprocess. Beginning in fiscal year 2006, these reviews will be conducted at least\nevery quarter.\n\nWe agree that the actions USCIS plans to take satisfy the intent of the\nrecommendation.\n\nUSCIS concurs with recommendation 4. USCIS is planning to reassess all of\nthe component\xe2\x80\x99s major applications and general support systems, beginning in\nthe first quarter of fiscal year 2006. This process will include an assessment of\neach system\xe2\x80\x99s existing contingency plan, as well as the use of a standard\ntemplate to develop site and application specific contingency plans. Once the\nplans have been developed, USCIS will establish a process to conduct annual\ntests of the plans.\n\nWe accept USCIS\xe2\x80\x99 response to develop and annually test an IT contingency\nplan for the Central Index System. However, USCIS did not indicate that\nquarterly data restoration tests would be performed. We maintain that USCIS\nshould have a process to ensure that quarterly data restoration tests are\nconducted, in accordance with DHS requirements.\n\nUSCIS concurs with recommendation 5. USCIS plans to reexamine its\ninformation classification guidelines as well as all information classifications\nduring the first quarter of fiscal year 2006, to ensure that appropriate security\ncontrols have been implemented. However, USCIS plans to decommission the\nCentral Index System as part of its IT Transformation Program. The Central\nIndex System will be replaced by one or more systems that include more\nstringent security controls, -                     .\n\nWe accept USCIS\xe2\x80\x99 response to reexamine its information classifications as well\nas implement -                    for the Central Index System\xe2\x80\x99s replacement\nsystems. However, until ------------- --------- are implemented, USCIS should\ndocument the risk associated with ----- ------------------------------------- and\nensure that the designated approving authority formally accepts this risk.\n\nUSCIS concurs with recommendation 6. USCIS is taking steps to improve\nsecurity monitoring and incident reporting for the Central Index System. In\naddition to the corrective actions listed for OIG recommendations 1-5, USCIS\nhas transferred ISSO responsibilities from the Office of Records Services to the\nOffice of the CIO and appointed a new ISSO for the system. USCIS is\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 11\n\x0ccurrently in the process of implementing revised security procedures and\ncontrols, as well as defining the duties and responsibilities for the ISSO. USCIS\nplans to complete these activities by September 30, 2005. In addition, the\nOffice of the CIO plans to reexamine the user administration and management\nprocedures for the Central Index System, beginning in the first quarter of fiscal\nyear 2005.\n\nWe agree that the actions USCIS plans to take satisfy the intent of the\nrecommendation.\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 12\n\x0c               Appendix A\n               Purpose, Scope, and Methodology\n\n\n\n\nPurpose, Scope, and Methodology\n               The objective of this audit was to determine whether DHS has implemented\n               adequate and effective controls over sensitive data contained in its mission\n               critical databases. As part of our audit of DHS database security, we\n               conducted reviews of critical databases at the following DHS components:\n                   \xe2\x80\xa2    Emergency Preparedness and Response\n                   \xe2\x80\xa2    United States Citizenship and Immigration Services\n                   \xe2\x80\xa2    United States Coast Guard\n                   \xe2\x80\xa2    United States Secret Service\n\n               For each of the databases included, we determined whether the component\n               had implemented effective access controls, continuity of operations\n               capabilities, and change management processes. Our focus was to test the\n               implementation of secure configurations on the hosts controlling access to\n               sensitive DHS data. In addition, we obtained FISMA information required for\n               our annual independent evaluation.\n\n               To identify USCIS\xe2\x80\x99 critical database systems, we analyzed the DHS\n               Enterprise Architecture inventory of the Department\xe2\x80\x99s IT assets as of\n               October 2004. We supplemented this information with NIST SP 800-26\n               Security Self-Assessments, where available. Based on our analysis, we\n               selected the Central Index System for inclusion in our review.\n\n               To evaluate the effectiveness of controls implemented for the Central Index\n               System, we performed extensive manual security parameter checks on the\n               Central Index System mainframe computer operating system, security\n               software, and DBMS. Upon completion of the tests, we discussed the results\n               with USCIS.\n\n               We conducted fieldwork at the USCIS and ICE facilities in Washington, DC;\n               the DOJ Justice Data Centers in ------------------ and -       ; and, the\n               OIG\xe2\x80\x99s ATL. We conducted our audit from January to May 2005 under the\n               authority of the Inspector General Act of 1978, as amended, and according to\n               generally accepted government auditing standards. Major OIG contributors to\n               the audit are identified in Appendix D.\n\n\n\n\n             Security Weaknesses Increase Risks to Critical USCIS Database\n                                                Page 13\n\x0c  Appendix A\n  Purpose, Scope, and Methodology\n\n\n\n\n  Our principal points of contact for the audit are Frank Deffer, Assistant\n  Inspector General for Information Technology Audits at (202) 254-4100; and\n  Edward G. Coleman, Director, Information Security Audit Division at\n  (202) 254-5444.\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 14\n\x0c  Appendix B\n  Management\xe2\x80\x99s Response\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 15\n\x0c  Appendix B\n  Management\xe2\x80\x99s Response\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 16\n\x0c  Appendix B\n  Management\xe2\x80\x99s Response\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 17\n\x0c  Appendix B\n  Management\xe2\x80\x99s Response\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 18\n\x0c  Appendix B\n  Management\xe2\x80\x99s Response\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 19\n\x0c                        Appendix C\n                        FISMA Metrics\n\n\n\n\n    FISMA Requirements\n                        Title III of the E-Government Act, entitled FISMA, provides a comprehensive\n                        framework to ensure the effectiveness of security controls over information\n                        resources that support federal operations and assets.8 The agency\xe2\x80\x99s security\n                        program should provide security for the information as well as the systems\n                        that support the operations and assets of the agency, including those provided\n                        or managed by another agency, contractor, or other source.\n\n                        To comply with OMB\xe2\x80\x99s FISMA reporting requirements, we evaluated the\n                        major applications selected for this audit to determine whether DHS continues\n                        to make progress in implementing its agency-wide information security\n                        program. We collected information relative to certification and accreditation\n                        (C&A), system impact level determination, NIST SP 800-26 annual\n                        assessment, security control costs integrated into the life cycle of the system,\n                        assessment of E-authentication risks, specialized security training, and plan of\n                        action and milestones (POA&M).9\n\n                        Our evaluation of the Central Index System shows that the USCIS has not\n                        implemented certain security management practices into its information\n                        security program, as required by FISMA.\n\n\n\n\n8\n  The E-Government Act of 2002 (Public Law 107-347), signed into law on December 17, 2002, recognized the\nimportance of information security to the economic and national security interests of the United States.\n9\n  As required by: OMB M-04-04, E-Authentication Guidance for Federal Agencies and NIST 800-63, Electronic\nAuthentication Guideline.\n\n\n                      Security Weaknesses Increase Risks to Critical USCIS Database\n                                                         Page 20\n\x0c                            Appendix C\n                            FISMA Metrics\n\n\n\n\n                                       Table 1: FISMA Compliance Metrics\nFISMA Reporting Requirements                         USCIS                                Notes\nDoes the major application have a complete and                    The DOJ mainframe that the Central Index System\ncurrent C&A, including a risk assessment and                      resides on and the Central Index System applications\nsecurity plan?                                                    were certified and accredited separately. The\n                                                                  mainframe was issued authority to operate (ATO) on\n                                                       Yes\n                                                                  December 29, 2004, and the Central Index System\n                                                                  applications were issued ATO on December 29, 2003.\n                                                                  Both C&A packages include a security plan and a risk\n                                                                  assessment.\nHas the major application\xe2\x80\x99s impact level been                     The loss of confidentiality, availability or integrity of\ndetermined according to Federal Information            Yes        the Central Index System would have a high impact\nProcessing Standard 199 criteria?                                 on USCIS\xe2\x80\x99 mission.\nDoes the major application have a complete and                    An assessment of the Central Index System was\n                                                       Yes\ncurrent NIST SP 800-26 annual assessment?                         completed on October 11, 2004.\nDoes the assessment indicate that security                        The assessment indicates that controls are routinely\ncontrols have been tested and evaluated in the                    tested. However, we found that periodic vulnerability\n                                                        No\nlast year?                                                        assessments or configuration reviews are not\n                                                                  performed.\nDoes the assessment indicate that a contingency                   The assessment indicates that an IT contingency plan\nplan has been established and tested?                             has been developed but not tested. However, we\n                                                        No\n                                                                  found that the IT contingency plan for Central Index\n                                                                  System applications is not complete or current.\nHave security control costs been integrated into                  Security control costs are incorporated and reported to\nthe life cycle of the system?                          Yes        OMB as 10 percent of the system\xe2\x80\x99s operations and\n                                                                  maintenance funding.\nHas an assessment of E-Authentication risk            Not         The Central Index System does not provide direct\nbeen performed for the major application?           Applicable    services to the public.\nHave the system and database administrators                       System and database administrators receive the same\nobtained specialized security training?                           annual security awareness training that all component\n                                                        No\n                                                                  personnel receive. Specialized security training is not\n                                                                  provided.\nDoes the major application have any existing                      Although the POA&Ms for the Central Index System\nPOA&Ms?                                                           were not complete or current at the beginning of our\n                                                       Yes        review, they were updated prior to the completion of\n                                                                  our audit. As of May 12, 2005, POA&Ms were\n                                                                  entered for 16 Central Index System weaknesses.\n         Source: OIG table based on interviews with USCIS personnel and analysis of database documentation.\n\n\n\n                          Security Weaknesses Increase Risks to Critical USCIS Database\n                                                             Page 21\n\x0c  Appendix D\n  Major Contributors to this Report\n\n\n\n\n  Information Security Audits Division\n  Edward G. Coleman, Director\n  Patrick Nadon, Audit Manager\n  Jason Bakelar, Audit Team Leader\n  Chris Udoji, Auditor\n  Meghan Sanborn, Referencer\n\n  Advanced Technology Division\n  Jim Lantzy, Director\n  Michael Goodman, Security Engineer\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 22\n\x0c  Appendix E\n  Report Distribution\n\n\n\n\n  Department of Homeland Security\n\n  Secretary\n  Deputy Secretary\n  Chief of Staff\n  USCIS, Director\n  Executive Secretary\n  General Counsel\n  Chief Information Officer\n  Chief Information Security Officer\n  Public Affairs\n  USCIS, Chief Information Officer\n  USCIS, Audit Liaison\n  Director, Departmental GAO/OIG Liaison Office\n  Director, Compliance and Oversight Program\n  Chief Information Officer Audit Liaison\n  Office of Security\n\n  Office of Management and Budget\n\n  Chief, Homeland Security Branch\n  DHS OIG Budget Examiner\n\n  Congress\n\n  Appropriate Congressional Oversight and Appropriations Committees\n\n\n\n\nSecurity Weaknesses Increase Risks to Critical USCIS Database\n                                   Page 23\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations \xe2\x80\x93\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe complaint to (202) 254-4292; or e-mail DHSOIGHOTLINE@dhs.gov.\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'